The Irish Data Protection Commissioner (DPC) now has 10 statutory inquiries into Facebook, representing over a fifth of all such inquiries and two thirds of its probes into multinational firms.
The watchdog’s latest annual report shows a slew of complaints and breach notifications concerning Facebook and its subsidiaries of Instagram and WhatsApp.
These include last September’s so-called ‘token breach’, where up to five million Irish and European users were affected with some 30m accounts worldwide put at risk to hackers.
Dublin DataSec 2019, Ireland’s data protection conference, takes place on April 30. For further information and tickets click here.
Under the EU's new GDPR rules, Facebook faces a fine of over €2bn in a worst-case scenario.
Under European GDPR privacy law, offences come with a potential fine of up to 4pc of annual turnover or €20m. The regulation also facilitates the Irish DPC as Facebook’s European regulator.
The DPC report says that some of the investigations were “commenced in response to a large number of breaches notified to the DPC during the period since May 25th”.
“We’re in close contact with the DPC and are working with them to answer their questions,” a spokeswoman for Facebook said.
Other DPC investigations into multinational firms include two inquiries into Twitter, also being probed “in response to a large number of breaches notified to the DPC” and one inquiry into Linkedin.
Commissioner Helen Dixon’s office also has 31 separate statutory inquiries underway into local authorities around CCTV and the surveillance of citizens.
“The rise in the number of complaints and queries to data protection authorities across the EU since 25 May 2018 demonstrates a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data,” said the Data Protection Comissioner.
“in 2018 the DPC opened inquiries into data-processing activities of Facebook, Apple, Twitter, LinkedIn, WhatsApp and Instagram, looking at issues ranging from large-scale data breaches to legal bases for processing to transparent presentation to users.
“All of these inquiries should reach the decision and adjudication stage later this year and it’s our intention that the analysis and conclusions in the context of those inquiries will provide precedents for better implementation of the principles of the GDPR across key aspects of internet and ad tech services.”
The DPC’s funding now stands at €11.7 million, compared to €1.7 million in 2013. It has increased its staffing to 135.
“We will recruit an additional 30 staff this year in order to meet the demands of the tasks assigned under the GDPR and to deliver public value in what is an area of critical importance to society,” said Ms Dixon.
In all, the DPC recorded 4,740 data breach notifications in 2018 compared to 2,795 in 2017 and 1,407 in 2013.
Of the 3,542 data breaches recorded since the end of May 2018, 38 of the data breaches “related to 11 multinational tech companies”.
Five entities were prosecuted for electronic direct marketing including Viking Direct and Vodafone. The mobile operator was prosecuted for calling him “every day” for marketing purposes, despite him telling the company that he was not interested in the services being pitched.
A separate investigation has been opened into Tusla “inquiring into the large volume of data breaches which occurred many of which involved special categories of personal data”.
And the DPC has also opened an inquiry into
The data watchdog also noted that its investigation of Independent News and Media under “in relation to the possible unlawful disclosure of data held on company servers to third parties and other potential contraventions of the Data Protection Acts“ was “ongoing” as at December 31st 2018.
The effect of GDPR’s introduction was apparent, the DPC said, with over 1,000 data protection officers appointed in Ireland.
1A recently formed Special Investigations Unit at the DPC opened 31 “own-volition” inquiries under the into “the surveillance of citizens by the state sector for law-enforcement purposes through the use of technologies such as CCTV, body-worn cameras, automatic number-plate recognition enabled systems, drones and other technologies”.